Microsoft security researchers have discovered a post-compromise tool, dubbed MagicWeb, being deployed in the wild by the threat group Nobelium. MagicWeb is a new iteration of Nobelium’s post-compromise capability FoggyWeb, with additional capabilities.
FoggyWeb was capable of exfiltrating the configuration database of compromised AD FS servers, decrypting token-signing certificates and token-decryption certificates, and downloading and executing additional malware components. MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.
NOBELIUM was able to deploy MagicWeb by first gaining access to highly privileged credentials and moving laterally to gain administrative privileges to an AD FS system. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary.
MagicWeb can only be deployed if an AD FS server is first compromised with full administrative access. It is recommended organizations secure and harden their AD FS servers with equal priority to their domain controllers. Administrative access and activity should be carefully logged and monitored to avoid the misuse of stolen credentials; multifactor authentication (MFA) with no legacy or shortcut loopholes, IP and geographic monitoring of login access, strong and unique password requirements, and separation of AD FS or server credentials from other accounts to limit watering hole attacks are all recommended security controls. In addition, limiting external exposure of accounts and devices can help reduce the number of successful intrusions. A defense in-depth strategy that includes approaches to detecting lateral movement as part of post-exploitation tactics, facilitated by Threat Hunting services such as those offered by Binary Defense, is highly recommended. The Microsoft blog includes specific hunting queries and recommendations.